Malware is a general term for software that infiltrates a computer, commonly without the owner's consent, and performs adverse operations, such as collecting personal information, displaying advertisements, changing configuration, and downloading and executing other programs. Malware is commonly understood to include spyware, adware, computer viruses, and Trojans. Malware is sometimes also referred to as pestware or a computer contaminant.
By way of example, FIG. 1 illustrates a process of infecting a computer with malware via an application program 110, such as an internet browser 110 that is used to access a web server 120 through a network 130. During normal operation of the internet browser 110, scripts and small programs are downloaded and executed for legitimate reasons, e.g. to enable animation and other features used to create compelling web sites. However, these scripts and small programs can also become delivery mechanisms for malware 140. Once installed on the computer platform, malware code may corrupt specific files and settings 150 to render them unusable or to support malicious activities, such as tracking of Internet usage, display of unwanted advertising, and interception of personal information. It should be noted that the application 110 may be an application other than an internet browser. Other applications connected to the network, such as an email client, can potentially deliver malware to a computer platform. The application 110 that delivers malware to the system can itself be corrupted by malware in the same way as other applications.
The growth of distributed computing environments, particularly TCP/IP environments, has created an increased need for computer security, especially for protecting the operating system, application software, and stored data. According to a study performed by the National Cyber-Security Alliance, malware may have affected 90% of home computers, making malware a major issue in the computer world.
A number of methods and systems for preventing or lessening the negative effects of malware are known in the art.
One group of anti-malware tools includes software intended to detect the presence of malware by searching files currently present on, or being introduced to, a computer environment for a match with a known malware definition. For example, U.S. Pat. No. 6,663,000 issued to Muttik et al. on Dec. 16, 2003 discloses a malware scanner containing a malware scanner engine, an updater, and malware definition data, wherein the different components of the scanner validate each other.
In another example, U.S. Pat. No. 6,772,345 issued on Aug. 3, 2004, attempts to filter malware before it infects a platform. It describes a method of detecting malware that comprises the steps of: a) receiving a data stream, b) scanning the data stream at a protocol level to detect malware, c) removing the detected malware from the data stream, and d) transmitting the data stream without the malware.
This approach has limitations due primarily to the changing nature of malware, which requires a high degree of diligence in continually monitoring the ways in which malware is delivered. An inherent disadvantage of the disclosed methods is a delayed response caused by the time needed for malicious activities to be reported and analyzed by experts, and for software updates with new malware definitions to be prepared by experts and finally installed by users.
Another group includes methods and software tools for the automatic recognition of suspicious activities. For example, US Pat. Application No. 20060075501 by Thomas et al. teaches a system that comprises a heuristics engine and a number of shields designed to monitor for pestware and for typical pestware activity, e.g. key-logging. The shields report any suspicious activity to the heuristics engine. If the same activity is reported repeatedly, that activity can be automatically blocked or automatically permitted, depending upon the user's preference. The heuristics engine can also present the user with the option to block or allow an activity.
A fundamental problem with such methods is that malware is initially allowed to infect a computer platform, and only after the malware has already been installed is an attempt made to recognize and remove it. FIG. 2 illustrates current approaches to malware containment. An application 250, e.g. an Internet browser, is connected to a network, and its interaction with the computer platform is filtered as shown in step 260. If potentially malicious activity is detected, a decision 270 is made whether the operation should continue 220 or abort 230. The decision 270 is either pre-configured or the user is prompted for input. If no malicious activity is suspected by the filter 260, the application operates in the regular way as shown by arrow 240, with no additional user interaction.
In addition to the inherent delayed response discussed above, another disadvantage of this approach is that the ultimate decision on whether to allow a suspicious software activity, whether pre-configured or made at a prompt, rests with the user, who is not always competent to make it and may not know the full extent of the activities of the software in question. The decision is never made with 100% confidence, and an error results either in aborting a useful operation or in infecting the computer platform.
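The shield-and-heuristics-engine flow described above, including the way its final verdict falls to a pre-configured preference or a user prompt rather than to any certainty about the activity, as an added Python sketch that is not code from the cited application or from this patent; the repeat threshold, the shield name and the event sequence are constructed assumptions:

```python
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

Verdict = str  # "monitor", "permit" or "block"


class HeuristicsEngine:
    """Collects activity reports from shields and acts on activities that are
    reported repeatedly (the threshold of 3 is an assumption for illustration)."""

    def __init__(self, repeat_threshold: int = 3,
                 auto_decision: Optional[bool] = None,
                 prompt: Callable[[str], bool] = lambda msg: False) -> None:
        self.repeat_threshold = repeat_threshold
        self.auto_decision = auto_decision  # True=permit, False=block, None=ask user
        self.prompt = prompt                # user prompt; returns True to permit
        self.reports: Counter = Counter()
        self.decisions: Dict[Tuple[str, str], Verdict] = {}

    def report(self, shield: str, activity: str) -> Verdict:
        """Called by a shield each time it observes a suspicious activity."""
        key = (shield, activity)
        if key in self.decisions:           # verdict already fixed for this activity
            return self.decisions[key]
        self.reports[key] += 1
        if self.reports[key] < self.repeat_threshold:
            return "monitor"                # not yet repeated enough to act on
        # Repeated activity: the outcome is set by configuration or by the user,
        # not by any measure of how likely the activity is to be malicious.
        if self.auto_decision is None:
            permitted = self.prompt(f"{shield} reported {activity!r}; allow?")
        else:
            permitted = self.auto_decision
        verdict = "permit" if permitted else "block"
        self.decisions[key] = verdict
        return verdict


# Constructed event stream: a key-logging shield reporting the same activity 4 times.
SAMPLE_EVENTS = [("keylog-shield", "hooks keyboard input")] * 4


def run_scenario(auto_decision: Optional[bool], user_allows: bool) -> List[Verdict]:
    """Replay SAMPLE_EVENTS through a fresh engine and return each report's verdict."""
    engine = HeuristicsEngine(auto_decision=auto_decision,
                              prompt=lambda msg: user_allows)
    return [engine.report(shield, act) for shield, act in SAMPLE_EVENTS]


if __name__ == "__main__":
    # Identical evidence, opposite outcomes: the verdict depends on the user's answer.
    print(run_scenario(None, user_allows=True))   # activity admitted
    print(run_scenario(None, user_allows=False))  # activity blocked
```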
Methods and tools of yet another group are designed to avoid, or at least lessen, the effects of malicious activities, generally without detecting the presence of malware. US Patent Application 20060031940 by Rozman et al. teaches a system having a first memory space and a second memory space, wherein applications not connected to a network are allowed to access both the first and second memory spaces, while applications connected to the network are allowed to access only the second memory space, thus protecting the first memory space from malware delivered by the network-connected applications. This method may, however, require modifications to the applications and/or architectural or hardware changes to the system used to host those applications.
US Pat. Application 20060085685 by Cheston et al. discloses a method for computer system rejuvenation, wherein an image of the primary drive is created and stored in a second nonvolatile storage area. When the computer system becomes sluggish, the primary drive is reformatted and the image is copied from the second nonvolatile storage area to the primary drive. User data files and application and operating system settings are copied into the nonvolatile storage area and restored on the primary drive after the rejuvenation. Any malware stored on the computer system is wiped off when the computer system is periodically restored. A disadvantage of this method is the disruption of the computer's availability and the possible loss of data and of changes to the system that were not properly saved and documented.
It is an object of this invention to provide a method for protecting a computer system against the effects of malware that is non-disruptive to system operation and does not rely on user expertise.